pf » Firefox Now Supports HttpOnly Cookies

July 19, 2007

Firefox Now Supports HttpOnly Cookies

You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1. Firefox 2.0.0.5, which was released just the other day, now supports it.

When a cookie is HttpOnly the web browser should (see note about firefox implementation below) not allow client side scripts such as JavaScript to have access to the cookie. This can help mitigate the effects of cross site scripting (XSS) attacks.

To set a HttpOnly cookie with ColdFusion you need to use cfheader since cfcookie doesn't yet support HttpOnly.

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it it would also be nice to have a setting to make the CFID, CFTOKEN and jsessionid cookies httpOnly, or secure cookies.

Here's a MSDN doc with some additional info about HttpOnly.

Firefox's implementation of HttpOnly however still leaves open a big hole, as RSnake points out, you can do an XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie from the AJAX HTTP response header. +1 for MSIE.

Permalink | Add Comment |

add to del.icio.us | Tags: security, cookies, httponly, firefox, ie, microsoft, ajax

Related Entries

AJAX on IE - back to the IFRAME - August 17, 2005
Top 20 Internet Security Vulnerabilities of 2005 - November 23, 2005
The Proper Content Type for XML Feeds - June 13, 2005
Web Standards Browser Test - April 14, 2005
Objection - Firefox Extension for removing Local Shared Objects - April 11, 2005

8 people found this page useful, what do you think?

Trackbacks

Trackback Address: 644/7BA6CDA184ED00E36C269C3AFB1E2FB5

Comments

On 07/19/2007 at 4:17:55 PM MDT Jeremy Prevost wrote:

Either I'm miss reading something or you forgot the word "not" in the first sentence of the second paragraph (before the parenthesis).

On 07/19/2007 at 6:18:44 PM MDT David A Herman wrote:

Shouldn't that be NOT allow? I was confused until I went to the MSDN site.

On 07/20/2007 at 4:39:18 AM MDT Tom Chiverton wrote:

You left a 'not' out of the 2nd paragraph - that confused me for a while because TFA goes on to say 'This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script.'

On 07/20/2007 at 7:44:19 AM MDT Dan G. Switzer, II wrote: